Red tape delayed federal network fixes to Heartbleed vulnerability by several days

Jared Serbu, DoD Reporter, Federal News Radio

An untold number of federal IT systems potentially were left vulnerable to one of
the most serious cybersecurity flaws in history for several days longer than
necessary, not because federal officials didn't know how to fix it, but because it
wasn't clear that they had the legal authority to do so.

The Heartbleed vulnerability originated
from a programming flaw in OpenSSL, a widely deployed implementation of the
SSL/TLS encryption protocols used to protect Web traffic around the world.
Security researchers estimated it could affect up to two-thirds of all Web
servers, and agencies weren't immune. The software's makers issued a fix on
April 7, the same day the vulnerability was made public. Cybersecurity
professionals scrambled in the hours after to determine whether their systems
were subject to the flaw and to patch them if necessary.
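The flaw itself, as an added illustration that is not part of the article: the bug was a missing bounds check in OpenSSL's TLS heartbeat handler, which copied as many bytes as the peer's request claimed rather than as many as the record actually contained, so a reply could carry adjacent process memory. The handlers below are a simplified reconstruction written for this example, not OpenSSL's code, and the record layout and "SECRET" bytes are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (constructed for this example): byte 0 is
 * the type, bytes 1-2 a big-endian payload length, then the payload. A reply
 * echoes the payload back to the peer. */

/* Heartbleed-style handler: trusts the length field inside the request and
 * copies that many bytes even when the record delivered fewer, so the reply
 * carries whatever sits in memory after the record. */
int heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len + 3 > out_cap) return -1;  /* guards only the output */
    out[0] = 2;                                 /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);      /* over-reads a short record */
    return (int)(payload_len + 3);
}

/* Hardened handler: the declared length must fit inside the record that was
 * actually received; a malformed request is dropped without a reply. */
int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len + 3 > rec_len) return -1;  /* the check that was missing */
    if (payload_len + 3 > out_cap) return -1;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return (int)(payload_len + 3);
}

/* Constructed memory layout: a 7-byte record with a 4-byte payload "ping",
 * followed in the same buffer by bytes the peer must never see, while the
 * request claims a 12-byte payload. Returns 1 if the unchecked handler leaked
 * the trailing bytes and the checked handler refused the request. */
int demo_leak(void) {
    uint8_t arena[32] = { 1, 0x00, 0x0c, 'p', 'i', 'n', 'g',
                          'S', 'E', 'C', 'R', 'E', 'T', '!', '!', '!' };
    uint8_t out[64];
    int n = heartbeat_reply_unchecked(arena, 7, out, sizeof out);
    int leaked = (n == 15 && memcmp(out + 7, "SECRET", 6) == 0);
    int refused = (heartbeat_reply_checked(arena, 7, out, sizeof out) == -1);
    return leaked && refused;
}
```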

But inside the federal government, that process took several days longer than it
needed to because the agency in charge of protecting civilian agency IT systems,
the Department of Homeland Security, didn't have clear legal authority to scan
other agencies' networks, even though it had the technical ability to do so.

"So as fast as we could, we went door-to-door and got a letter of authorization
from each agency, working with each lawyer, to make sure that we could scan their
systems. That cost us five to six precious days in some cases," Phyllis Schneck,
DHS' deputy undersecretary for cybersecurity, told the Senate Appropriations
Committee Wednesday. "The whole world knew about this vulnerability and all the
information they could capture, while we were lawyering. If we had the
clarification in law that this was our role, we would have gotten started a lot
faster."

Congress must act

DHS' mandate to protect agencies from cyber threats comes from presidential memos
and a patchwork of federal laws, including the 2002 Homeland Security Act, which
tasks DHS with "response and mitigation" of cyber threats across federal, state
and local agencies and private sector critical infrastructure providers.

"The problem, and I know this from working in the private sector, is that when the
lawyers get involved — and to their credit, they're protecting the company — they
don't really know if we're supposed to be scanning," she said. "This is what
happened with the cabinet-level agencies; we had to scan for Heartbleed."

Schneck said DHS wants Congress to give it explicit statutory authorization to
scan those networks as part of a series of legal changes in proposed cybersecurity
legislation, which would also include liability protections for companies that
share cyber threat information with the federal government.

"It makes it very clear what our authorities are, to help with the information
sharing across the private sector, and narrowly-targeted liability protection,"
she said. "I came from industry eight months ago and that's very helpful to a
company because it speaks to the general counsel and says, 'This is OK to share
with government and protect others, and the company won't get hurt.'"

Schneck said even though DHS' response to the specific Heartbleed issue was
slower than it should have been, agencies are much safer from hackers seeking to
exploit that vulnerability and others like it than they would have been a few
years ago. DHS says agencies' move toward a regime of continuous diagnostics and
mitigation means they are much more likely to have noticed a bad actor who tried
to make use of the security flaw. She also cited heightened perimeter defenses
around government networks under the Einstein 3-Advanced (E3A) program as a
reason for increased confidence in network security.

"The system constantly measures how healed up it is and how secure it is, so
you're always aware of behavior that's different," she said. "And as we grow that
system, it will become more and more like your body's immune system: You don't
need to have a conference call to fight a cold. You always know something coming
in and you'll be able to see different bad behaviors across all of the U.S.
government. Across the government, we are very much operational. We very much have
turned a corner. If I could have one wish, it would have been able to act faster
in Heartbleed so that we wouldn't have had to get letters of authorization for
every unique organization that we scanned."

Information sharing showing its value

In the absence of legislation that would authorize more information
sharing, DHS has moved forward with the Enhanced Cybersecurity Services
program, in which a limited number of Internet service providers and other private
companies are able to see some of the government's sensitive and classified cyber
threat signatures. That information is valuable, officials say, because agencies
often have access to information about potential threats long before they emerge
in the private sector.